Australians would be able to demand companies delete their personal information under a European-style overhaul of privacy laws that will be considered by the federal government.
In a landmark review released this week, the Attorney-General’s department made 116 recommendations to improve the protection of personal data.
The review comes just months after millions of Australians had their information stolen in massive hacks of major corporations like Optus and Medibank.
Recommendations range from giving Australians far more control over their personal information – including a right to be forgotten – and new rules that would restrict how businesses can use personal information.
The review also calls for the scope of privacy protections to be widened to currently exempt groups like small businesses and political parties.
Laws lag digital changes
Attorney-General Mark Dreyfus said the government will consider which of the recommendations to adopt in a looming overhaul of privacy laws.
“The Privacy Act has not kept pace with the changes in the digital world,” Mr Dreyfus said in a statement.
“The large-scale data breaches of 2022 were distressing for millions of Australians, with sensitive personal information being exposed to the risk of identity fraud and scams,” Mr Dreyfus said.
“The Australian people rightly expect greater protections, transparency and control over their personal information, and the release of this report begins the process of delivering on those expectations.”
Key recommendations
The 320-page privacy review backs several key reforms including:
- Improving the control Australians have over their personal data by introducing a right to erasure and a right to opt-out of data collection, modelled on European GDPR laws.
- Expanding which organisations and businesses are covered by privacy laws, including small businesses and political parties.
- New restrictions on how businesses handle and store personal information, including a principle requiring “fair and reasonable” use.
- Expanding the types of data covered by privacy protections to include information taken for marketing and targeting; location tracking information; and even data about genes.
- A tougher approach towards data breaches that would see companies required to inform the public sooner after a hack and force them to periodically review data they collect.
The review said the vulnerability of Australian personal information has been highlighted by the theft of massive swathes of data from Medibank and Optus last year, and that laws must now be changed to better protect people and ensure companies are using data responsibly.
“The best way to protect personal information is for entities to minimise the amount of personal information they collect and retain,” it said.
Reforms are ‘long overdue’
If all the recommendations put to the government were adopted it would be the biggest overhaul of privacy laws since their inception in 1988.
An overhaul of Australia’s Privacy Act is “long overdue” and could prompt big changes from firms, senior lecturer in computing and security at Edith Cowan University, Mohiuddin Ahmed, said.
In particular, he suggested a new requirement to report data breaches to regulators within 72 hours might change how firms respond to hacks.
“It would be interesting to see whether large enterprises report the breach to [the] Information Commissioner within three days or continue their in-house investigation and incident response to save their business reputation,” Dr Ahmed said.
David Vaile, chair of the Australian Privacy Foundation, said the recommendations are significant, but doubted whether the federal government would act on everything in the report.
“As they did in 2013, when belatedly responding (after a five-year delay) to the 2008 ALRC review of privacy law, which recommended many of the same things here, I think it is quite likely they will pick and choose, doing the easy things and claiming to be reformers while leaving the hard things to the never-never,” Mr Vaile told The New Daily.
